Patient Record Snooping Incident Leads to GDPR FineHospital in The Netherlands Slapped With Fine; May Face Additional Penalties
Authorities in the Netherlands recently levied a 460,000 ($516,000) fine under the General Data Protection Regulation against a hospital in the Hague in connection with a data breach involving "dozens" of staffers who snooped on the electronic medical records of a celebrity.
The Dutch Supervisory Authority - or Authoriteit Persoonsgegevens - says it fined Haga Hospital in the Hague after a 2018 data breach involving workers who inappropriately accessed the medical records of "a well-known Dutch person."
The news site Dutch News reports the data incident involved the records of a reality TV star, Samantha de Jong - known as "Barbie" - who was hospitalized at Haga Hospital last year.
Security Controls Lacking
The Haga Hospital "does not have the internal security of patient records in order," the Dutch data protection agency says in its statement.
An investigation by the agency found that Haga Hospital "has not met and does not meet the requirement of two-factor authentication and regular review of log files," the statement says.
As a result, the hospital has taken "insufficient appropriate measures" that are called for under GDPR, the statement says.
In addition to levying the fine for insufficient security, the agency says it will issue other fines if the hospital if it does not improve its security practices.
"To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not improved security before Oct. 2, the hospital must pay 100,000 euros every two weeks, with a maximum of 300,000 euros," the statement says.
Haga Hospital has indicated it will take measures to bolster its security, the Dutch authority notes.
Portuguese Hospital Fined Earlier
Back in January, it was revealed that authorities in Portugal fined Centro Hospitalar Barreiro Montijo 400,000 ($458,000) for three violations of GDPR (see GDPR Compliance: Tougher Than HIPAA Compliance?).
"Access controls, policies and procedures, and sanctions regarding impermissible uses of PHI are some of the most important tools in the healthcare entity tool chest when it comes to employee snooping."
—Iliana Peters, Polsinelli
The Portuguese hospital's GDPR infractions included allowing indiscriminate access to patient's clinical information to an excessive number of users, failing to apply technical and organizational measures to prevent unlawful access to personal data and failing to implement technical and organizational measures to ensure an adequate level of security, according to a report about the enforcement case by the International Association of Privacy Professionals.
The GDPR case against the hospital in the Netherlands has some similarities to the Portugal case, says attorney Elizabeth Harding, of the law firm Polsinelli.
"It is interesting that, again, this [Netherlands] fine does not relate to an external hacking type of security incident, but rather a failure to secure access to data at the system level," she says.
"This is a similar situation to that of Centro Hospitalar Barreiro Montijo, which was fined last year for, among other things, failure to put in place appropriate access controls. Both of these cases highlight the need to review system access to ensure that access is limited to personnel with a genuine need to know, put in place appropriate internal policies and procedures to enforce those access controls and offer training to ensure that personnel understand why they are in place and the implications of breaching them."
Medical record snooping cases - along the lines of the Netherlands incident - have also been a problem in the U.S.
For instance, UCLA Health System in 2011 entered a resolution agreement with the U.S. Department of Health and Human Services as a result of a record snooping incident. The hospital paid a $865,500 penalty and agreed to a corrective action plan aimed at improving its HIPAA compliance.
Two celebrity patients alleged that UCLA employees repeatedly viewed their electronic protected health information, as well as those of other patients, without permission.
"Access controls, policies and procedures, and sanctions regarding impermissible uses of PHI are some of the most important tools in the healthcare entity tool chest when it comes to employee snooping," says privacy attorney Iliana Peters of the law firm Polsinelli, who is a former official at the U.S. Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
"Employees only comply with policies, procedures and legal requirements if they know there will be consequences if they don't, so sanctions must be applied fairly across the enterprise and immediately upon discovery of infractions," she says.
GDPR Fines in the News
Earlier this month, Britain's data protection authority, the Information Commissioner's Office, announced a proposed fine of 184 million ($230 million) against British Airways after breaches last September and October enabled attackers to route customers to a fraudulent site, exposing 500,000 customers' personal details.
The ICO also confirmed a proposed fine of £99 million ($125 million) against Marriott International for its failure to stop a four-year breach that globally exposed approximately 339 million customer records.